Helping the OSINT community stay curious

After the GDPR: researching domain name registrations

Today, nearly every part of our lives can be digitised: every journey we take, every purchase we make, even every heartbeat can be tracked and logged. Because of the vast amount of personal information that is collected, stored and also traded by companies and governments, the EU decided to strengthen data privacy by introducing the European General Data Protection Regulation (GDPR), a new European regulation that went into effect on 25 May 2018.

On the one hand, from a data protection point of view, this new regulation strengthens the privacy of millions of EU citizens by protecting their personal data. On the other hand, from an OSINT point of view, the GDPR makes it more challenging to find open source information, especially information that was once publicly available. Researching domain name registrations, for example, has become a lot harder and now requires different tools and techniques, which we will briefly discuss below.

Light in the dark

Everyone feared that researching domain name registrations wouldn’t be possible anymore. It is true that it hasn’t got any easier to find out who registered a domain name, but it’s certainly not impossible.

There are a lot of good sources which you can use to research domain name registrations. We want to share our favourite tools and tricks with you to hopefully make your research a little bit easier.

Getting the toolbox out

Let’s have a look at some free resources first and a paid one at the end; there are quite a lot of them, but we’ll show you some of our favourites:

Domainbigdata.com

If you aren’t familiar with domainbigdata.com, you might be missing out. Domainbigdata lets you search for any domain, IP, email address or registrant name.

When you research a domain here, it gives you a lot of information, such as the same name under other top-level domains. It also shows whether any other domains are registered with the same email address. Where possible it shows historical WHOIS records as well, so even if the registrant has since moved behind a privacy proxy, the information might still be visible here.

Viewdns.info

Viewdns.info is an oldie but a goodie. They haven’t changed their interface since at least 2011, but it is quite good, and it gives you a good set of options to research a domain name.

And there is a neat trick when searching in the ‘Reverse Whois Lookup’ box (the middle box at the top): use * as a wildcard. You can put it at the beginning or at the end of a search. For example, the website you are investigating uses email addresses on the domain you’re researching, and you want to know whether any domain registrations were made with those addresses: search for *@example.com. Or, if you want to know whether your person of interest has registered a domain using his name in an email address, search for johndoe@*.

Another helpful search box is the one called ‘Reverse IP Lookup’, which returns websites hosted on the same IP address. When the website in question is hosted on a dedicated server (instead of a shared hosting platform), this may return other sites owned by the same person or company, and sometimes you’ll find that those domains don’t have their registrant information shielded.

Of course, keep in mind that fake email addresses could be used when registering a domain.

Pulsedive

Pulsedive.com is a cyber threat intelligence platform, but it also gives you some great information on a domain. Besides indicating whether the domain has been linked to any threats, it shows related URLs, related domain names, WHOIS information and much more. Definitely worth a shot!

Apnic/Lacnic

The GDPR is a European regulation. Although a lot of non-European businesses have decided to comply, this does not go for all of them, so sometimes when you look into a non-European WHOIS database you will still find interesting information. APNIC (the regional Internet registry for the Asia-Pacific region) doesn’t necessarily have to comply. They have an impressive ‘WhoWas’ section where you can view historical registration records, including pre-GDPR ones, which might give you just a little more information than a site that follows the GDPR rules. Keep in mind that APNIC and LACNIC register IP addresses and AS numbers rather than domain names, so this is most useful when you pivot from the hosting IP instead of the domain itself.

Domaintools (paid)

Domaintools.com has always shown some pretty good information. For quite some time it had some excellent features for free, like WHOIS history. Unfortunately, most of the good options on Domaintools are now behind a paywall, but if you’re in a position to afford a licence, you’re quite lucky. Domaintools also suffered from the GDPR, so they created an investigation tool: Iris.

Iris gives you the ability to compare domains, look at hosting, see what other domains might be related, and so on. In the beginning Iris might feel a bit strange, but once you have figured out how to use it, it’s quite impressive.

Don’t forget about…

If you have trouble researching a domain name registration and all of the above options are not getting you anywhere, there are some other things to take a look at:

Archived versions of the website (they might show you old contact details, there might be hidden gems in the source code of a site, or you may still find EXIF data in images. Check out Archive.org or Archive.is)

Similar websites (this won’t always work, but check for identical websites via tools like Similarsites.com and you might find some extra information)

Subdomains (use tools like Findsubdomains.com or Pentesttool to find out whether any subdomains tell you something about the owner of a domain)

Domain name registration websites (sometimes a registrar has a WHOIS section too. GoDaddy has one, as does Freenom, which issues .tk domains)

Source code (you don’t have to fully understand HTML or other languages to spot interesting things in the source code, such as an ‘autograph’, a link to another website, or images pulled from a folder path where you can find interesting information. Use tools like PublicWWW or NerdyData to find that specific piece of code on other sites)

UA code (the Google Analytics tracking ID; use AnalyzeID to find other websites using the same UA code. Guests get 3 free searches, or register a free account to receive additional search credits)

Hosting IP (check which IP address hosts the domain and whether that IP hosts any other domains which might be related. Viewdns.info is one of many places where you can find out which IP is hosting the site)

SSL certificates (use a source like Certdb.com or crt.sh to find out more about a certificate. Sometimes you find another email address or other information, such as where they bought their certificate)
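The UA code pivot from the list above can be done by hand on a handful of saved page sources. The script below is an added example, not code from the original post or from AnalyzeID; the page sources are constructed for the example, the domains are reserved example names, and the tracking IDs are invented. The point it shows that the list item does not: a Universal Analytics ID has the form UA-account-property, so sites of one owner usually share the account number while the trailing property number differs, and the pivot key has to be the account part. It also matches the newer GA4 measurement IDs (G-...), which the original only covers implicitly.

```python
import re
from collections import defaultdict

# Universal Analytics IDs look like UA-<account>-<property>. The account number
# is what ties sites of one owner together; the trailing number only
# distinguishes properties within that account. GA4 measurement IDs
# (G-XXXXXXXXXX) are matched too; they have no account part, so the full ID
# is the pivot key for those.
UA_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4})\b")
GA4_RE = re.compile(r"\b(G-[A-Z0-9]{6,12})\b")

# Constructed sample page sources keyed by domain (invented for this example).
SAMPLE_PAGES = {
    "example.com": """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12345678-1"></script>
<script>window.dataLayer=window.dataLayer||[];gtag('config', 'UA-12345678-1');</script>
</head><body>Shop</body></html>""",
    "example.net": """<script>
(function(i,s,o,g,r,a,m){/* legacy analytics.js loader */})(window,document,'script',
'https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-12345678-2', 'auto');
ga('send', 'pageview');
</script>""",
    "example.org": """<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ9"></script>
<script>gtag('config', 'G-ABC123XYZ9');</script>""",
}


def extract_ga_ids(html):
    """Return the set of analytics IDs found in one page's source."""
    return set(UA_RE.findall(html)) | set(GA4_RE.findall(html))


def account_key(ga_id):
    """Normalise an ID to the part that identifies the owner's account."""
    if ga_id.startswith("UA-"):
        return "-".join(ga_id.split("-")[:2])  # UA-12345678-2 -> UA-12345678
    return ga_id


def pivot_on_ga_accounts(pages):
    """Map each account key to the sorted list of domains whose source uses it."""
    index = defaultdict(set)
    for domain, html in pages.items():
        for ga_id in extract_ga_ids(html):
            index[account_key(ga_id)].add(domain)
    return {key: sorted(domains) for key, domains in index.items()}


def shared_accounts(pages, min_domains=2):
    """Only the accounts that link at least min_domains sites: the actual leads."""
    return {key: domains for key, domains in pivot_on_ga_accounts(pages).items()
            if len(domains) >= min_domains}


if __name__ == "__main__":
    for key, domains in shared_accounts(SAMPLE_PAGES).items():
        print(key, "->", ", ".join(domains))
```

Feed it the sources you saved from the live site and from archived copies (Archive.org often preserves a tracking ID that has since been removed), and treat a shared account as a lead to verify, not as proof of ownership: agencies and resellers sometimes run one account for many unrelated clients.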
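The subdomain and SSL certificate items above can be served by one source: Certificate Transparency logs as exposed by crt.sh list every name a certificate was issued for, and those names are where both the subdomains and the occasional email address come from. The script below is an added example, not code from the original post or from crt.sh; it assumes the shape of crt.sh's JSON output (one object per certificate with the fields `issuer_name`, `common_name` and `name_value`, the latter holding all subject names one per line), and the certificate records it parses are constructed for the example.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json). Only the field names follow
# crt.sh; the certificates themselves are invented for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2019-01-10T00:00:00", "not_after": "2019-04-10T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com\nexample.net",
     "not_before": "2019-02-01T00:00:00", "not_after": "2019-05-01T00:00:00"},
    {"id": 1003, "issuer_name": "C=GB, O=Example Commercial CA Ltd, CN=Example OV CA",
     "common_name": "mail.example.com",
     "name_value": "mail.example.com\nwebmail.example.com\nhostmaster@example.com",
     "not_before": "2018-03-15T00:00:00", "not_after": "2020-03-15T00:00:00"},
])

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_crtsh(raw_json, apex):
    """Summarise crt.sh JSON for one apex domain: hosts seen, names covered by
    wildcard certificates, email addresses in the subject names, names outside
    the apex (shared certificates), and how often each issuer appears."""
    apex = apex.lower()
    hosts, wildcards, emails, foreign = set(), set(), set(), set()
    issuers = Counter()
    for entry in json.loads(raw_json):
        issuers[entry.get("issuer_name", "")] += 1
        names = {entry.get("common_name", "")}
        names.update(entry.get("name_value", "").split("\n"))
        for name in names:
            name = name.strip().lower()
            if not name:
                continue
            if EMAIL_RE.match(name):
                emails.add(name)
                continue
            if name.startswith("*."):
                # A wildcard certificate hides the real host names: CT alone
                # will not enumerate them, so record the base name separately.
                name = name[2:]
                wildcards.add(name)
            if name == apex or name.endswith("." + apex):
                hosts.add(name)
            else:
                foreign.add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards),
            "emails": sorted(emails), "foreign": sorted(foreign),
            "issuers": dict(issuers)}


def new_subdomains(summary, apex):
    """Hosts below the apex, i.e. the subdomain candidates worth checking."""
    return [h for h in summary["hosts"] if h != apex.lower()]


if __name__ == "__main__":
    summary = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("subdomains:", new_subdomains(summary, "example.com"))
    print("wildcard certs cover:", summary["wildcards"])
    print("emails:", summary["emails"])
    print("other names on shared certs:", summary["foreign"])
    print("issuers:", summary["issuers"])
```

Two caveats the output makes visible: a wildcard entry means the subdomain list from CT is incomplete, and names from a different apex on the same certificate usually point to a shared host or CDN rather than common ownership, so treat them as a pivot to verify, not as a finding.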

If you feel like your ultimate favourite tool or trick is missing, please feel free to leave a comment below!

You left out whoxy.com, which is one hell of a lot cheaper than domaintools. I’ve been using it a lot for various kinds of reverse lookups and also for historical WHOIS records… although what they have is a bit spotty, and not nearly as deep or comprehensive as Domaintools. Still, for cheapskates like me, you can’t beat it.

P.S. Thanks for the info (and the trick) about viewdns.info. I didn’t know about that one!